Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Reverse Deception: Organized Cyber Threat Counter-Exploitation (118 page)
Domain checkers (resilience provider services) login/password
This level of detail was performed in 2010 on more than 100 SpyEye CnC servers using a legal method that circumvented a flaw in session management between the collector and the gate of the SpyEye CnC server application. This allowed the team to infiltrate and collect the true identities of more than 100 active cyber criminals around the world operating and maintaining SpyEye botnets (little will they know until they read this book).
The most important part of the hacking back decision is whether you have legal authority to do so. If not, there is always the old hacker’s philosophy of don’t tell a soul and don’t get caught, and deny everything, and then direct anyone with questions to your lawyer.
Remember that we do not condone participating in illegal activities. However, there are circumstances where your organization will have the authority to perform some level of attack and exploitation against a criminal’s infrastructure, and we would rather have you on the right side of the law, which could advance your career. Otherwise, your career could take a drastic turn for the worst.
To What End?
Now that we have discussed the methods you can take to engage an active threat either passively or aggressively, we need to consider your “end game,” or your overall goals, which need to be planned up front. You must have an end game in mind when you approach a problem, or you won’t have a clear path to success or failure.
Do you want to simply gather intelligence on a threat and use that internally, or do you desire to engage LE and go the prosecutable route? That is a question only the legal or executive management can decide at the beginning of the effort per event and/or in accordance with a blanket policy that outlines how specific incidents should be handled by the various security teams within your organization.
By engaging the threat’s criminal infrastructure, will you increase the chances of retribution, or will you down the threat’s entire network? These are the things you need to think about up front before moving forward.
Finally, consider the impact of public reviews if it is discovered that your organization is working with LE to identify an organized or persistent threat. Refer back to
Chapter 5
for a refresher on the legal perspective, what types of data are needed by LE, and how you can be best prepared.
Understanding Lines (Not to Cross)
Numerous national and international cyber laws apply to various countries. You need to fully understand the implications of your actions no matter which country you live in and which country is hosting the IP address. Some countries will look the other way if you are investigating a foreign criminal network. Other countries, like the United States, will prosecute you for going rogue and doing it alone.
There are numerous lines you should not cross. Again, we refer you to
Chapter 5
, which discusses online resources for information about cyber laws at large.
Remember that the criminals know the Achilles’ heel of security professionals. We have laws and ethics that draw a clear line you are not supposed to cross without prior authorization. Whatever country you live in, you should do some research on those laws and your boundaries in performing aggressive/active engagement of a specific threat or actor before you begin any type of in-depth investigation.
Conclusion
You have read a lot about the tools that can be used to circumvent a threat’s tactics and what you can do to better identify and weigh a threat’s severity within your network. There are numerous techniques and tactics that enable you, the counterintelligence analyst or operator, to engage an active threat, as discussed in
Chapters 7
,
8
, and
9
. Although international laws inhibit some tactics, you always have the option of working with LE, which can open certain doors and avenues you may have not thought possible. Please investigate what you can do and what you should not do from a legal and ethical position for your own career.
In the next chapter, we will wrap up all of these combined tools, tactics, and techniques and their ability to validate your organization’s security posture moving forward following various targeted and opportunistic threats.
CHAPTER
13
Implementation and Validation
N
ow that you have worked through the book and made your plans, you may need to define some level of success metrics or assurances for the stakeholders of your organization that you will be able to use to demonstrate that your operation succeeded. Or perhaps you’ve implemented your solution and need to know whether your planning, operations, and activities have been successful. In this chapter, we will wrap up what you’ve learned with the validation of your implemented operations.
However, not all threats or criminals operate in the same way. For the purpose of this book, we are focusing on what is in the public domain to keep the authors out of jail due to the combined in-depth knowledge we have of actual attribution of specific targeted threats and the players behind each campaign. I (Sean Bodmer) have digital images of numerous criminals and state-sponsored threats and can tie them directly to specific events that have occurred over the past several years. Some of these individuals have even approached the authors at overseas conferences and vacations in order to learn more about what we know about them.
One of the first key steps to identifying whether this tradecraft has been successful is validating your own knowledge of what could be occurring on the network. Another factor is validating that your entire deception plan was implemented in a manner that is successful and at the point “was” a part of your planned operation. Finally, the overall outcome of the operation and the observed events prior to, during, and after operations need to be validated.
